Projects in Awesome Lists by AndrewRathbun

https://github.com/andrewrathbun/dfirartifactmuseum

The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access to artifacts that may no longer be readily available anymore.

android artifacts-repository dfir ios linux macos windows

Last synced: 04 Apr 2025

https://github.com/AndrewRathbun/DFIRMindMaps

A repository of DFIR-related Mind Maps geared towards the visual learners!

dfir digitalforensics eztools kape mindmaps ntfs rdp tcpdump

Last synced: 07 Apr 2025

https://github.com/andrewrathbun/dfirmindmaps

A repository of DFIR-related Mind Maps geared towards the visual learners!

dfir digitalforensics eztools kape mindmaps ntfs rdp tcpdump

Last synced: 01 Mar 2025

https://github.com/andrewrathbun/vanillawindowsreference

A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs to create your own known good hash sets!

dfir hashes incidentresponse research windows

Last synced: 05 Apr 2025

https://github.com/andrewrathbun/dfirregex

A repo to centralize some of the regular expressions I've found useful over the course of my DFIR career.

dfir digitalforensics eztools grep kape regex

Last synced: 01 Mar 2025

https://github.com/andrewrathbun/kape-eztoolsancillaryupdater

A script that updates KAPE (using Get-KAPEUpdate.ps1) as well as EZ Tools (within .\KAPE\Modules\bin) and the ancillary files that enhance the output of those tools

dfir digitalforensics eztools kape powershell powershell-script

Last synced: 13 Apr 2025

https://github.com/AndrewRathbun/KAPE-EZToolsAncillaryUpdater

A script that updates KAPE (using Get-KAPEUpdate.ps1) as well as EZ Tools (within .\KAPE\Modules\bin) and the ancillary files that enhance the output of those tools

dfir digitalforensics eztools kape powershell powershell-script

Last synced: 10 Apr 2025

https://github.com/andrewrathbun/vanillawindowsregistryhives

A repo that contains a recursive dump from the ROOT key of every Windows Registry hive (using KAPE) from a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update.

dfir digitalforensics registry research windows

Last synced: 21 Mar 2025

https://github.com/andrewrathbun/dfirpowershellscripts

Various PowerShells scripts I've made (or others have made) to automate some of the boring stuff in my everyday DFIR journey!

computerforensics dfir digitalforensics eztools incident-response kape powershell

Last synced: 16 Mar 2025

https://github.com/andrewrathbun/eventtranscript.db-research

A repo for centralizing ongoing research on the new Windows 10/11 DFIR artifact, EventTranscript.db.

dfir digitalforensics eztools kape research-and-development windows10 windows11

Last synced: 21 Mar 2025

https://github.com/andrewrathbun/directoryopus-dfirconfig

A config file that's curated for DFIR examiners with shortcuts to common Windows artifacts and settings enabled that help make your life easier with various file management tasks.

dfir directoryopus poweruser

Last synced: 01 Mar 2025

https://github.com/andrewrathbun/sansgoldpaperresearch_for500_rathbun

A repository containing the research output from my GCFE Gold Paper which compared Windows 10 and Windows 11.

dfir giac research sans

Last synced: 01 Mar 2025

https://github.com/andrewrathbun/anti-forensics-vhdx

A sample VHDX file with multiple verbose examples of forensic and anti-forensics artifacts. Meant to be basic and can be expanded upon. Please add a new issue if you have an idea for something to add.

antiforensics computerforensics dfir digitalforensics kape

Last synced: 01 Mar 2025